MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682
SHA3-384 hash: 9fdd6ad8cf598503f839893c1410ce0865c25ed9a40e2d15339742731f6a7feca0576fffece0f51765a83fd1116d3974
SHA1 hash: 5d3d56dfa64c89905fcf0b4386fca6eb2bb452de
MD5 hash: 5e87bb63fb7409f0de2dbc75fb2500a4
humanhash: solar-six-hamper-july
File name:INVS #14320023.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:852'480 bytes
First seen:2023-03-15 08:04:26 UTC
Last seen:2023-03-20 07:36:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:0zAuodiJGRTwdW1bjsMluDOmaPrkTQWvmi8suUq2Lz3Xp2cHUwJ8ER06nghD:aoYJTsVpuDOmkomsBz3Xp2qJjR06n
Threatray 3'194 similar samples on MalwareBazaar
TLSH T17505124CA23E6757CE3E33FB9426606083B16A904211E36E9DCA29E71FE2FD4D905C57
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon f8ec96b2b296ccf0 (8 x AgentTesla, 4 x SnakeKeylogger, 3 x Formbook)
Reporter cocaman
Tags:exe FormBook payment

Intelligence

File Origin
# of uploads :
3
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
INVS #14320023.exe
Verdict:
Malicious activity
Analysis date:
2023-03-15 08:05:42 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/fdfc9b5f-7703-4e68-a35d-bfd3b4bdffed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/374483/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1889.6243.12987.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64117c323120829676f98e43/reports/4749ff4d-f0ce-4b16-be1f-c809994dfef9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/77cd2492-9a18-4e11-be15-dc953ac37121
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1193965
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 826866 Sample: INVS_#14320023.exe Startdate: 15/03/2023 Architecture: WINDOWS Score: 100 31 www.jingduxueyue.site 2->31 39 Snort IDS alert for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 5 other signatures 2->45 11 INVS_#14320023.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\INVS_#14320023.exe.log, ASCII 11->29 dropped 55 Tries to detect virtualization through RDTSC time measurements 11->55 57 Injects a PE file into a foreign processes 11->57 15 INVS_#14320023.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 1 15->18 injected process9 dnsIp10 33 www.tacairservice.com 168.76.164.168, 49692, 80 ULTRANETSERVICOSEMINTERNETLTDABR South Africa 18->33 35 jordanheritagita.online 62.4.23.119, 49693, 80 OnlineSASFR France 18->35 37 www.jordanheritagita.online 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 raserver.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-15 08:05:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ttl4uvh4fnay2l4cbe7npggn2ashraymlm73svxftxjngjpfk2ba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3130fe0040aca5135a6c22251a313fcaca05c404082727d8191545fccfcd3a02
Formbook
4422661ccc0d1ca90ea0427fbe9eacc398d819ef1f557c163a686fa127444c3a
Formbook
4baf37305afca03942dfd3f13c173cd45d587cd358adde2b6f1596fc761eaae2
Formbook
68561f9a18130d1f0e2a8ca14b9e9344a7f624bb599a766a5b41e16fd728e192
Formbook
8510156c681956fa592f4e2f346a7cd02ce7a00a31264dc2106e6e0b5a4b267b
Formbook
9580bddf76a3d9179e760fba40850e85f6dc3baad1356165b78cf160bad11f28
Formbook
99ec8b8e93e7a91dab1a16b9353333fa340d52569de4b88f5703bbc5a666211c
Formbook
9be3965a8f8378e3cbf5b59240ba53b6be33f4c3677e2112b32cf6ed6592e5cf
Formbook
c104d364eec79cad7a9c9040ff30d46e6b2bf694b3c8f80130bb599345fc3d76
Formbook
cc2ffcb49e5ff1b4f1be2c0c8f5bef3cf51caeef5fcd8be8a6367174b7dd8063
Formbook
+ 3'184 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:dr62 rat spyware stealer trojan
Link:
https://tria.ge/reports/230315-jyv2bseb7v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
d8f0232a14c9ab086e670933be20e0e50598fbbcbf6971b45e2b2913e1330a86
MD5 hash:
8255e269995d02bb36722998bf8077b5
SHA1 hash:
4b6df72b84f912b11d0289e05d95cf9335e34e79
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/2ebd824f-37c5-4bba-9084-5555c12599e7/
Parent samples :
9784d4f3af63382e92105496844b25bc4e42e92305b7707c3fd6451c98c391f6
a158cb66af4de52a4845e42738378e8548dbed62f816084554dfb20deeb4058d
9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682
d47eb4bff603d2015f8dc6512a51e8b37e42c53d7760ceb0bcf34ea875200d14
9895575b7f29abeddb92d3c078a06929876212e7980605727e46b2e88974a7ec
SH256 hash:
7bed8f50a422573a64642fbe86276c031593041f8318ce4733305e68d59fd836
MD5 hash:
db6420be29f5cdd1638fbbfcf7d04a71
SHA1 hash:
feaec3a9aba5c6924c736b97337fa21bb5dc7313
Link:
https://www.unpac.me/results/2ebd824f-37c5-4bba-9084-5555c12599e7/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/2ebd824f-37c5-4bba-9084-5555c12599e7/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
33d91b55523ea98812546d5d8fdd30b349433a85e572115e41c3c19e5fd750a5
MD5 hash:
0d609d904c2c72453e913b0ccaa7e712
SHA1 hash:
2c0092dc3b56033f7f8881a850c288459f312e57
Link:
https://www.unpac.me/results/2ebd824f-37c5-4bba-9084-5555c12599e7/
SH256 hash:
045c07fb1fa7bd06e06da02b4932d1d76fb7a66978b0bae80b079a8a8ee1c155
MD5 hash:
9afe6eff7287004282c3c60b66413804
SHA1 hash:
2764dc093e7e211c147c228e296a44b921bcb1aa
Link:
https://www.unpac.me/results/2ebd824f-37c5-4bba-9084-5555c12599e7/
SH256 hash:
9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682
MD5 hash:
5e87bb63fb7409f0de2dbc75fb2500a4
SHA1 hash:
5d3d56dfa64c89905fcf0b4386fca6eb2bb452de
Link:
https://www.unpac.me/results/2ebd824f-37c5-4bba-9084-5555c12599e7/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9cd7ca54fc2b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

ace 51df534958124aa2bdf39d17923291312a9b2c693520ba381eaecffee9ba1487

Formbook

Executable exe 9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 51df534958124aa2bdf39d17923291312a9b2c693520ba381eaecffee9ba1487
Cape
Cape
https://www.capesandbox.com/analysis/374483/
  
Dropped by
MD5 6c59d26d32af827dfb91fc8669c2c3fe

Comments